On Mastodon at least, neither authorized fetch, nor "disallow unauthenticated API requests" really stops the outflow. it does in an ActivityPub sense, however, I have both flags activated on my instance, but Mastodon has an RSS feed for every account, by just adding .rss to the profile URL, and anyone can pull that without authentication.
The option to turn off .rss feeds for accounts doesn't exist in a standard mastodon install. the Hometown fork of Mastodon has the option to disable it.
So while the flags above will help prevent random discovery/propagation by others on the Fediverse, there are still open doors for accessing the data, at least on Mastodon. I can't really speak for the other projects.